bcd74869fed12192e15d27254f6736621a82fbdcb555f7a258d0f2fa99eed36e

Analysis

max time kernel
143s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
Size

435KB
MD5

961954bbc411d4eafd72efad94a6e160
SHA1

0a0e1830d6b2a169527fe61b9111b4171cc5a01f
SHA256

bcd74869fed12192e15d27254f6736621a82fbdcb555f7a258d0f2fa99eed36e
SHA512

c70698005bd0974ace29ad991b3dd3cae82809a088ba6b090e1b2786bf72f87e5a87493aadab7d0adf4e2929bf7d0edc903154a590f15439543f45af1ad22cdb
SSDEEP

12288:ji8ssa1TX35mrEe0zfGr7c1+GHjcSczuhE:ji8sjTZmrEesbMGDSzu2

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
4920	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
388	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
4920	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4920	rundll32.exe
4920	rundll32.exe
4920	rundll32.exe
4920	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	rundll32.exe
Token: SeDebugPrivilege	4920	rundll32.exe
Token: SeDebugPrivilege	4920	rundll32.exe
Token: SeDebugPrivilege	4920	rundll32.exe
Token: SeDebugPrivilege	4920	rundll32.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
388	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4920	5000	961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe	86
PID 5000 wrote to memory of 4920	5000	961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe	86
PID 4920 wrote to memory of 388	4920	rundll32.exe	14

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:388

C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\tmp88F7.tmp", Install C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20240814-1228.dmp
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tmp88F6.tmp

Filesize
577KB

MD5
56ba53de2646c5260d6bbe7c2006d275

SHA1
0449eba1d5b0f8b5ef5737429c1b349ff19cfddb

SHA256
e824123c7536555ec609aef31ddefc6ae084db686be7622ecf302390ad2eba5b

SHA512
4fec07c24beef58d8569e5053c55f13ff8b93326310ae1bea714763919bdb3e1988d82d0554739c3c0f36b5b86b24279dfd6d046f00bcdbd5724410cbeed35c9

Download Submit
C:\Users\Admin\AppData\Roaming\tmp88F7.tmp

Filesize
59KB

MD5
b1fb36e272f1ae7aacc6763500ee92a5

SHA1
0805ff1ee4618480db415fde38a24a046acdbab4

SHA256
0685506aadd8601ec782d017db4313e04d24148c8d6b17eb243a14be072f0d75

SHA512
d75e7feeb50d5e42a356e55ed83adda4a6ec0f50204db8429dd103daa8e16b37d7234674dd3b294336c44acbbf61c5bfba2043a0c865528c2b51639e87a5ecfa

Download Submit
memory/388-26-0x00007FFB79530000-0x00007FFB79540000-memory.dmp

Filesize
64KB

Download
memory/388-27-0x00007FFB79530000-0x00007FFB79540000-memory.dmp

Filesize
64KB

Download
memory/388-25-0x00007FFB79530000-0x00007FFB79540000-memory.dmp

Filesize
64KB

Download
memory/388-18-0x000001E0DA4B0000-0x000001E0DA4CC000-memory.dmp

Filesize
112KB

Download
memory/388-28-0x000001E0DA4D0000-0x000001E0DA54B000-memory.dmp

Filesize
492KB

Download
memory/4920-6-0x0000000180000000-0x0000000180096000-memory.dmp

Filesize
600KB

Download